Last updated: 2024-11-07 21:06:00.194984 File source: link on GitLab
Learn DevOps practices and how your organization works.
Maintain relationships with Developers, QA, and Operations teams.
Do not fail builds unless you are at maturity level 3 or 4.
Do not run any tool which takes more than 10 minutes in CI/CD pipelines.
Create separate jobs for each tool/scan.
Roll out tools/scans in phases(iteratively).
Do not buy tools that don’t provide APIs or CLIs.
Verify that tool vendors can do incremental/baseline scans.
Do not be afraid to create custom rules.
Try to do everything as code.
Write documentation wikis.
Last updated: 2024-11-07 21:06:00.446615 File source:
Before diving into this please read:
Get yourself familiar with our Vulnerability Management Software:
This document aims to provide a comprehensive overview of the security pipeline architecture implemented in NuNet. It is designed to serve as an informative guide for developers, and stakeholders involved in the software development and deployment process. The primary focus is to detail the various stages of the pipeline, the security tools integrated at each stage, and the specific roles these tools play in enhancing the security of the software development lifecycle. By outlining the workflow, tool specifics, and the conditions under which the pipeline is triggered.
The security tools are applied in different stages of the pipeline workflow. These tools are:
Commit
Secret Detection
Dependency Scanning
Coverage Fuzz Testing (Not in use)
Build
Container Scanning
Test
API Security (Not in use)
Deploy
Operational Container Scanning (TBD)
While GitLab's SAST framework supports many programming languages, at NuNet, our primary programming languages are Python, Golang and JavaScript.
This pipeline applies to both container and binary projects.
This pipeline is triggered on merge request to every branch.
It is run on the test (or Security-Test-1) stage.
The Secret Detection tool scans repositories to help prevent secrets from being exposed during commits. The primary Secret Detection tool is Gitleaks.
This pipeline applies to both container and binary projects.
This pipeline is triggered on merge request to every branch.
It is run on the test (or Security-Test-1) stage.
This stage analyzes an application's dependencies for known vulnerabilities.
This pipeline is currently disabled but can be configured to run every branch commit.
It is run on the test (or Security-Test-1) stage.
The container scanning tool inspects docker images for known vulnerabilities.
After building the docker image, the following tools scan the built containers.
This pipeline is triggered on merge request to every branch.
This stage is run on the test (or Security-Test-1) stage, primarily after the build stage.
Static Depth
Run SAST scans with minor tweaks to rules. ✅
Run SCA scans with minor tweaks to rules. ✅
Run Secret scans with minor tweaks to rules. ✅
Dynamic Depth
Run DAST scans with minor tweaks to baseline settings. (Binary case) ❌
Run DAST scans with minor tweaks to baseline settings. (Container Scanning) ✅
Intensity
Scans to be twice a month. Frequency here is too much, every commit on every branch
Consolidation
The findings in a vulnerability register after analysis. Vulnerability Management Process designed for this purpose
Last updated: 2024-11-07 21:05:59.891036 File source:
Please refer here for complete picture of NuNet Security Pipeline:
Open-source application vulnerability management correlation and security orchestration tool used for management dashboard.
Each product represent a repository
Each Engagement represents a workflow, which was executed with each commit/PR to master, staging and develop branch
Each Commit to develop
,staging
,main
branches
Each Pull Request/Merge Request to develop
,staging
,main
branches
Binary
Container
1.1.5.1 Tools in Container Pipeline
1
2
3
1.1.5.2 Tools in Binary pipeline
1
2
3
All merge requests will be scanned by Gitlab and outputs pushed to DefectDojo, Security Team will be focused on Critical and High severity issues from defectDojo.
Security Team will use DefectDojo board to create tickets which are resultant of Pentest, community tests, any Bug Bounty report that we receive, including the external auditing.
Issue Sync to DefectDojo: All security issues originating from Security Pipeline are synced to DefectDojo. This serves as a centralized platform for managing and tracking security vulnerabilities.
Prioritization: Due to the potentially large volume of issues, there is a focus on prioritizing Critical and High severity issues from DefectDojo. This prioritization strategy helps the team concentrate on addressing the most impactful vulnerabilities first.
Security Board for Ticket Creation: A Security Board is used as a platform for creating tickets based on the prioritized Critical and High severity issues. This board could be a visual representation, possibly using a a Security Vulnerabilities Repo and creating issues on that, where the security team manages and tracks the progress of security-related tasks.
Ticket Creation Criteria: Tickets are created on the Security Board for issues deemed Critical and High severity in DefectDojo. These tickets likely include detailed information about the nature of the vulnerability, its potential impact, and steps to remediate.
Source of Issues: The issues that contribute to the creation of tickets come from various sources, including Pentests, community tests, Bug Bounty reports, and external auditing. This comprehensive approach ensures that security vulnerabilities from different testing methodologies are considered. We can separate issues using labels, in that way we can measure, monitor and prioritise them.
Since, a lot of issues won't be relevant in our case, be it a False Positive or not relevant in our environment we will provide developers/service owners a possibility to mark it as exception. This sheet will be maintained and issue will be verified for exception by security team through #security slack channel.
Exception Marking by Developers/Service Owners: Developers or service owners have the ability to mark certain security issues as exceptions. This could be due to the issues being false positives or not applicable to your specific environment.
Maintaining an Exception Sheet: A centralized sheet or database is maintained to document these exceptions. This sheet serves as a record of issues that have been marked as exceptions, along with relevant details such as the reason for the exception and the individuals responsible.
Verification by Security Team: The security team is responsible for verifying the exceptions. This involves a thorough review of the marked issues to ensure that they are indeed false positives or not applicable in the given context.
Communication Through Slack Channel: The #security Slack channel is used as a communication platform for the security team to discuss and verify the exceptions. This allows for collaboration and transparent communication within the team.
Service Level Agreements in place to fix the vulnerabilities in defined period of time e.g. 7 days for Critical/High vulnerabilities
We may introduce a system of points/credit given to the service, and deducted on number of issues present in the service, when the score/credit goes to 0 or negative, the service owners cannot move forward with their development without fixing the issues.
Service Level Agreements (SLAs) for security vulnerabilities are agreements that define the expected response time, resolution time, and other terms related to addressing and fixing security vulnerabilities within a system or application. These agreements are crucial for organizations to ensure a timely and effective response to security issues.
Technical Debt: Technical debt refers to the additional work that arises when a development team takes shortcuts or defers necessary work during the software development process. It often results from choosing expedient solutions over more robust ones. Over time, like financial debt, technical debt can accumulate and may need to be "repaid" through activities such as refactoring or improving the codebase.
Error budgets in the context of SRE likely refers to the Site Reliability Engineering (SRE) approach, which is a set of practices and principles developed by Google for managing large-scale, reliable software systems. Here's a breakdown: Error Budgets: In the context of Site Reliability Engineering (SRE), an error budget is a concept used to quantify the acceptable level of service disruptions or errors that a system can experience within a given time frame. The idea is to set a threshold for the acceptable amount of downtime or errors, and if the system's performance exceeds this threshold, it triggers a reassessment of the development and release processes. Error budgets are a way of balancing reliability with the need for continuous development and innovation.
A Security Champions Program is an initiative within an organization that aims to enhance and promote security awareness, knowledge, and best practices among its development and operational teams. The program typically involves selecting and empowering individuals from various departments to act as "security champions" or advocates within their respective teams. Here are key aspects of a Security Champions Program:
Selection of Champions: Identify individuals from different teams or departments who have an interest in security and demonstrate a willingness to contribute to improving security practices.
Training and Education: Provide specialized training and education to the selected security champions. This can include sessions on secure coding practices, threat modeling, incident response, and other relevant security topics.
Roles and Responsibilities: Define the roles and responsibilities of security champions. They often act as liaisons between their teams and the central security team, helping to disseminate security information and best practices.
Advocacy and Communication: Security champions serve as advocates for security within their teams. They communicate security initiatives, updates, and best practices, helping to bridge the gap between security teams and other departments.
Collaboration with Security Teams: Foster collaboration between security champions and the central security team. Security champions may participate in regular meetings with the security team to discuss ongoing projects, emerging threats, and ways to improve security measures.
Code Reviews and Best Practices: Encourage security champions to participate in code reviews and promote secure coding best practices within their teams. They can help identify and address security issues at the development stage.
Incident Response Training: Provide incident response training to security champions so that they are better equipped to handle security incidents within their teams and can act as first responders in the event of a security incident.
Feedback Loop: Establish a feedback loop where security champions can provide insights, concerns, and feedback to the central security team. This helps in continuously improving the security program.
Recognition and Rewards: Recognize and reward the efforts of security champions. This can include acknowledgment, certificates, or other incentives to motivate individuals to actively contribute to the security program.
Continuous Improvement: Regularly assess and refine the Security Champions Program based on feedback and evolving security needs. This ensures that the program remains effective and aligned with organizational goals.
TL;DR Write high level summary with impact Example: An Unauthenticated SoluM API Swagger Interface was found which could control the Facility’s systems i.e. CRUD operations on ESL, Cloud, APs, Picking System, Station, Packing, etc. Which could be used by any malicious entity to hinder in the production.
Description/summary and business impact: Write the details of vulnerability and its business impact Example:
The Solum Gateways are used to send information to the Electronic Shelf Labels. They support PoE and use the frequency; 868Mhz.
The API is unauthenticated and CRUD operations can be performed on ESL, Cloud, APs, Picking System, Station, Packing, etc.
Which could be used by any malicious entity can change the labels which could impede in the production.
Impacted services/components/endpoints: Here you can mention endpoints and service which is impacted Example: http://10.200.240.10:9001/swagger-ui.html
[Optional] Steps to reproduce: Steps to reproduce a vulnerability Example:
Open the url in browser: http://10.200.240.10:9001/swagger-ui.html
You will get access to swagger UI with CRUD operations
Mitigation steps: Write detailed mitigation steps for Dev Team to understand and fix the vulnerability Example:
Authentication and Authorization:
Implement authentication and authorization mechanisms for accessing the Solum API Swagger UI. This could involve using API keys, tokens, or integrating with an existing authentication system.
Ensure that only authenticated users with the necessary permissions can access the API documentation.
Access Control Lists (ACL):
Configure access control lists to restrict access to the Swagger UI based on IP addresses, user roles, or groups.
Whitelist only trusted IP addresses that are allowed to access the documentation.
HTTPS Encryption:
Ensure that the Swagger UI is accessed over HTTPS to encrypt the communication between the user's browser and the server.
Use SSL certificates from trusted certificate authorities.
Disable Swagger UI in Production:
Consider disabling the Swagger UI in production environments to prevent unintentional exposure of sensitive API documentation.
CVSS Score: Calculate using: https://www.first.org/cvss/calculator/3.1
Likelihood of exploitation: 5/5 [Critical]
Impact: 5/5 [Critical]
Overall risk score: 5/5 [Critical]
Last updated: 2024-11-07 21:06:01.223479 File source:
Get yourself Familiar with Secure Coding Guidelines here:
Get yourself familiar with defect dojo here:
See if there are any High/Critical Severity issues found with the commit associated with PR/MR
Login to defectDojo
Go to Actives engagements
Here each engagement correspond to the commit, product gives you information about the repo, each product corresponds to the repo
Click on engagement, it will give you information about the branch, commit hash, findings and other information
Click on findings, it will gives you information about the findings, if there is any finding with high or critical this PR is not suitable for merge.
If the issue/vulnerability is easily understood by developer and can be fixed, then developer should fix it.
If the vulnerability/issue needs enrichment then create an issue on the repo using ticketing template from here:
Make sure to include secvuln label
assign it to developer
If the vulnerability cannot be fixed add the label to the ticket as exception along with secvuln and include the reason for the decisions in the comment.
(TBD)
is used for secret detection in repositories.
The primary tool for scanning application dependencies is .
(Default Gitlab container scanner)